A cloud-init file for creating an OpenVPN server (with 2 client profiles).
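#cloud-config
# OpenVPN server bootstrap for cloud-init: installs openvpn and easy-rsa
# (2.x script layout), builds a CA and a server certificate, enables NAT
# through ufw and writes two self-contained client profiles to /home/openvpn.
#
# cloud-init collects the runcmd entries into one shell script, so shell
# variables (IPADDR) and the environment sourced from easy-rsa's vars file
# persist from one entry to the next.
#
# NOTE(review): vars/clean-all/build-ca/build-key* are the easy-rsa 2.x
# scripts; easy-rsa 3 (as shipped on Ubuntu 18.04 and later) replaces them
# with the `easyrsa` command, which is the likely reason this file does not
# work there — confirm the installed easy-rsa version before reuse.
apt_update: true
packages:
- openvpn
- easy-rsa
runcmd:
# Public address the client profiles will connect to. Assumes dig (dnsutils)
# is present; if the lookup fails IPADDR is empty and the profiles' `remote`
# line is left without a host.
- IPADDR=$(dig +short myip.opendns.com @resolver1.opendns.com)
# --- server.conf: start from the shipped sample and enable the options the
# sample leaves commented out (AES cipher, 2048-bit DH, full-tunnel redirect,
# pushed DNS, privilege drop to nobody/nogroup). ---
- gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
- sed -i -e 's/;cipher DES-EDE3-CBC \# Triple-DES/;cipher DES-EDE3-CBC \# Triple-DES\ncipher AES-256-CBC/' /etc/openvpn/server.conf
- sed -i -e 's/dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf
- sed -i -e 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' /etc/openvpn/server.conf
- sed -i -e 's/;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/' /etc/openvpn/server.conf
- sed -i -e 's/;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/' /etc/openvpn/server.conf
- sed -i -e 's/;user nobody/user nobody/' /etc/openvpn/server.conf
- sed -i -e 's/;group nogroup/group nogroup/' /etc/openvpn/server.conf
# NOTE(review): no ta.key is generated here. If the sample server.conf of the
# installed OpenVPN version ships with `tls-auth ta.key 0` enabled, the
# service will not start until that key exists or the line is commented out —
# check the service status after first boot.
# --- IP forwarding: immediately via /proc, persistently via sysctl.conf ---
- echo 1 > /proc/sys/net/ipv4/ip_forward
- sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# --- ufw: allow SSH and the OpenVPN port, permit forwarding and masquerade
# VPN client traffic out of eth0. Two assumptions to verify on the target
# image: the interface is named eth0 (not ens*/enp* predictable names), and
# the NAT source 10.8.0.0/8 is far wider than the 10.8.0.0/24 the sample
# server.conf hands out (server 10.8.0.0 255.255.255.0) — /24 is the
# least-privilege value. ---
- ufw allow ssh
- ufw allow 1194/udp
- sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
- sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to eth0\n\n-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules
- ufw --force enable
# --- PKI: private copy of easy-rsa, DH parameters, CA and server certificate ---
- cp -r /usr/share/easy-rsa/ /etc/openvpn
- mkdir -p /etc/openvpn/easy-rsa/keys
- sed -i -e 's/KEY_NAME="EasyRSA"/KEY_NAME="server"/' /etc/openvpn/easy-rsa/vars
- openssl dhparam -out /etc/openvpn/dh2048.pem 2048
# Sourcing vars exports the KEY_* defaults; the cwd also persists into the
# following entries, the explicit cd on each line is only defensive.
- cd /etc/openvpn/easy-rsa && . ./vars
# Optionally set identity information for certificates (uncomment to use;
# these exports override the defaults sourced from vars above):
# - export KEY_COUNTRY="<%COUNTRY%>" # 2-char country code
# - export KEY_PROVINCE="<%PROVINCE%>" # 2-char state/province code
# - export KEY_CITY="<%CITY%>" # City name
# - export KEY_ORG="<%ORG%>" # Org/company name
# - export KEY_EMAIL="<%EMAIL%>" # Email address
# - export KEY_OU="<%ORG_UNIT%>" # Organizational unit / department
- cd /etc/openvpn/easy-rsa && ./clean-all
- cd /etc/openvpn/easy-rsa && ./build-ca --batch
- cd /etc/openvpn/easy-rsa && ./build-key-server --batch server
- cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn
- cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn
- cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
- service openvpn start
# --- client1 profile: sample client.conf with the CA, certificate and private
# key inlined so the single .ovpn file is self-contained. The `ca`/`cert`/`key`
# file directives are blanked out so they do not conflict with the inline
# blocks. ---
- cd /etc/openvpn/easy-rsa && ./build-key --batch client1
- cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e "s/;cipher x/cipher AES-256-CBC/" /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e "s/my-server-1/$IPADDR/" /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/;user nobody/user nobody/' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/;group nogroup/group nogroup/' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/ca ca.crt//' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/cert client.crt//' /etc/openvpn/easy-rsa/keys/client1.ovpn
- sed -i -e 's/key client.key//' /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "<ca>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "</ca>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "<cert>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- openssl x509 -outform PEM -in /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "</cert>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "<key>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client1.ovpn
- echo "</key>" >> /etc/openvpn/easy-rsa/keys/client1.ovpn
# --- client2 profile: identical steps, but it must embed client2's OWN
# certificate and key. Reusing client1's key pair here would make the two
# profiles indistinguishable to the server, leave the client2 key pair
# unused, and mean revoking one client silently revokes the other. ---
- cd /etc/openvpn/easy-rsa && ./build-key --batch client2
- cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/;cipher x/cipher AES-256-CBC/' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e "s/my-server-1/$IPADDR/" /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/;user nobody/user nobody/' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/;group nogroup/group nogroup/' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/ca ca.crt//' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/cert client.crt//' /etc/openvpn/easy-rsa/keys/client2.ovpn
- sed -i -e 's/key client.key//' /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "<ca>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "</ca>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "<cert>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- openssl x509 -outform PEM -in /etc/openvpn/easy-rsa/keys/client2.crt >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "</cert>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "<key>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- cat /etc/openvpn/easy-rsa/keys/client2.key >> /etc/openvpn/easy-rsa/keys/client2.ovpn
- echo "</key>" >> /etc/openvpn/easy-rsa/keys/client2.ovpn
# --- publish the profiles for download. Each .ovpn embeds a client private
# key; chmod +r leaves them readable by every local account on the host.
# Prefer chown to the account that retrieves them with mode 0600, and remove
# the copies from the host once they have been collected. ---
- mkdir -p /home/openvpn
- cp /etc/openvpn/easy-rsa/keys/client1.ovpn /home/openvpn
- cp /etc/openvpn/easy-rsa/keys/client2.ovpn /home/openvpn
- chmod +r /home/openvpn/client1.ovpn
- chmod +r /home/openvpn/client2.ovpn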
Not working on a vanilla Ubuntu 18 VM
Did you have to create a new install of OpenVPN AS on a centos / ubuntu machine w/ cloud-init enabled to be able to do this?
thanks